darkcomet | bbd2e79112498c9b3bf4c64a4843e7f54a260136846fcb3bbf123eee9c50225f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe
Size

960KB
MD5

13803ebdba0993bab5f7229fd955972b
SHA1

a5e977d4dcdd53be60f0f48910d1b92ea7628202
SHA256

bbd2e79112498c9b3bf4c64a4843e7f54a260136846fcb3bbf123eee9c50225f
SHA512

457d97542f2114f95a526ab771fca972c6cc41bc07aa4106fa75973ef429f7562dc2e0cce0b146b82648a21459424ec0a395923394cfe5ca4fba05479c60b391
SSDEEP

12288:7kum12MecQTjV49hdWtuL+mi18X/x0JYBOVDaW9Aqhbfxb+FM9TqCPC04:hMXecGV4dRL+/1865VD7AAbJKuO

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation 13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FacbookUpdate.exe	13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FacbookUpdate.exe	13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe

Executes dropped EXE 2 IoCs

Processes:

Service.exe13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe

pid process

4628 Service.exe
884 13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe

description pid process target process

PID 720 set thread context of 4628 720 13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4628	Service.exe
884	13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe

description	pid	process	target process
PID 720 set thread context of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Service.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4628	Service.exe
Token: SeSecurityPrivilege	4628	Service.exe
Token: SeTakeOwnershipPrivilege	4628	Service.exe
Token: SeLoadDriverPrivilege	4628	Service.exe
Token: SeSystemProfilePrivilege	4628	Service.exe
Token: SeSystemtimePrivilege	4628	Service.exe
Token: SeProfSingleProcessPrivilege	4628	Service.exe
Token: SeIncBasePriorityPrivilege	4628	Service.exe
Token: SeCreatePagefilePrivilege	4628	Service.exe
Token: SeBackupPrivilege	4628	Service.exe
Token: SeRestorePrivilege	4628	Service.exe
Token: SeShutdownPrivilege	4628	Service.exe
Token: SeDebugPrivilege	4628	Service.exe
Token: SeSystemEnvironmentPrivilege	4628	Service.exe
Token: SeChangeNotifyPrivilege	4628	Service.exe
Token: SeRemoteShutdownPrivilege	4628	Service.exe
Token: SeUndockPrivilege	4628	Service.exe
Token: SeManageVolumePrivilege	4628	Service.exe
Token: SeImpersonatePrivilege	4628	Service.exe
Token: SeCreateGlobalPrivilege	4628	Service.exe
Token: 33	4628	Service.exe
Token: 34	4628	Service.exe
Token: 35	4628	Service.exe
Token: 36	4628	Service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Service.exe

pid process

4628 Service.exe

pid	process
4628	Service.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 4628	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	Service.exe
PID 720 wrote to memory of 2740	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	vbc.exe
PID 720 wrote to memory of 2740	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	vbc.exe
PID 720 wrote to memory of 2740	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	vbc.exe
PID 2740 wrote to memory of 400	2740	vbc.exe	cvtres.exe
PID 2740 wrote to memory of 400	2740	vbc.exe	cvtres.exe
PID 2740 wrote to memory of 400	2740	vbc.exe	cvtres.exe
PID 720 wrote to memory of 884	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe
PID 720 wrote to memory of 884	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe
PID 720 wrote to memory of 884	720	13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe	13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe

C:\Users\Admin\AppData\Local\Temp\13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:720

C:\Users\Admin\AppData\Local\Temp\plugtemp\Service.exe
C:\Users\Admin\AppData\Local\Temp\\plugtemp\Service.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xq7t8iej.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9B390698A8C49A5B5E956B2CA25F4C.TMP"
3⤵
PID:400

C:\Users\Admin\AppData\Roaming\13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe
"C:\Users\Admin\AppData\Roaming\13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe"
2⤵
- Drops startup file
- Executes dropped EXE
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5F66.tmp
Filesize
1KB

MD5
b5c326ae60d90eacd50bfb0f7aa5e857

SHA1
20b086659f17428239942a5ee1fbd13424bb8315

SHA256
4517379ed8c7e5a1ee8700d64fa4c5abbd47a81aa98c8de758266202fc321381

SHA512
01f49917b270980aaec59c7913709d304434c5903a3a1fc51d94454dd131d8f3540c149c67ebb30aa20dcfead24d809d09ae72aa6d281d119e27da9f650ee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugtemp\Service.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE9B390698A8C49A5B5E956B2CA25F4C.TMP
Filesize
804B

MD5
f61654d85e74e9ca8434cc7680914cb7

SHA1
030242438513a7c3c199b219382aa97c02cfcff7

SHA256
79baf021db0ac4da858028a3fa9043bd9a93e35f3e3d58b0f7ee9505d1659fe4

SHA512
29835920b2e4d19ba4c06f1b367185fc3a3b27d56972fea95a2a4ddd388bf83e64c2fdc34f4db43e42a83469851412333f80986e5b56858de220ad898e2f19c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xq7t8iej.0.vb
Filesize
348B

MD5
d007d837b472eb92cdc46f3a1ad562ee

SHA1
5b4774056e716551e93e1f6aa3da377713507430

SHA256
3abccaba5ad2e2f2b71694b24d616ebc2bcb93cdcbd1c74cbefa8b2948d8a44a

SHA512
a0054bb92d69daf3a27ff5878cb86018cd7606dcf45195daf7a983580d3407328f6c19aad34375047664d7167922461368e9354a3a7310691e7ee28d05fb45cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xq7t8iej.cmdline
Filesize
235B

MD5
f4506b343f8e068aa3744e6d391a8892

SHA1
46ca388550eb1eee647885c7a38767e619665487

SHA256
93545b271f6bb411799695f8b8b563d08556f35507c2456a4461b41c0276d94e

SHA512
a16beb96de0152e0b29c24a4e9eeb737cd0d5c42da0944cc903a7390d79bd8b2c1bef65569963c805e6ee710eb38972f6e2f968f0ca58fe59640b9661e7a47d5

Download Submit
C:\Users\Admin\AppData\Roaming\13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe
Filesize
960KB

MD5
13803ebdba0993bab5f7229fd955972b

SHA1
a5e977d4dcdd53be60f0f48910d1b92ea7628202

SHA256
bbd2e79112498c9b3bf4c64a4843e7f54a260136846fcb3bbf123eee9c50225f

SHA512
457d97542f2114f95a526ab771fca972c6cc41bc07aa4106fa75973ef429f7562dc2e0cce0b146b82648a21459424ec0a395923394cfe5ca4fba05479c60b391

Download Submit
C:\Users\Admin\AppData\Roaming\13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe
Filesize
6KB

MD5
3668208041814a386006847384bf759c

SHA1
05fabbf729bf321eb4cacc1d162476ae8c2aecf1

SHA256
d4856d3fe3e86168bab3bbd90acc9c5d6a9bf6edcb3a09315717083da424c6ed

SHA512
98883576fc8e4aa3e93babe911ffecaccfdd7b6326db5c04ac5d1ae67d5320bdfe2c071c8e742f797c8ccd42c1c8c40751ce98694bef70d1193de2151e854693

Download Submit
memory/720-1-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/720-2-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/720-38-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/720-0-0x0000000074A62000-0x0000000074A63000-memory.dmp

Filesize
4KB

Download
memory/2740-22-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4628-13-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/4628-42-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-16-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-14-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-12-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-10-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-9-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-6-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-39-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-40-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-41-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-15-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-43-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-44-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-45-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-46-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-47-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-48-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-49-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-50-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-51-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4628-52-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download